AUTHENTICATION IN A QUANTUM CRYPTOGRAPHIC SYSTEM

Docket No.: 03-4029

GOVERNMENT CONTRACT 
[0001] The U.S. Government has a paid-up license in this invention and the right
in limited circumstances to require the patent owner to license others on
reasonable terms as provided for by the terms of contract No. F30602-01-C-0170
awarded by DARPA.

A. Field of the Invention 

[0002] The present invention relates generally to quantum cryptography, and 
more particularly, to authentication in quantum cryptographic systems. 

B. Description of Related Art 

[0003] Cryptography is the art of rendering a message unintelligible to any 
unauthorized party. To achieve this goal, an algorithm (also called a 
cryptosystem or cipher) is used to combine a message with some additional 
piece of information known as a "key" to produce a cryptogram. This technique 
is known as "encryption." For a cryptosystem to be secure, it should be 
impossible to unlock the cryptogram without the key. 
[0004] Two parties (hereinafter called "Alice" and "Bob") that wish to 
communicate using conventional cryptographic techniques may begin by 
agreeing on a key to use with the cipher. If Alice and Bob were previously able 
to communicate over a secure channel, they may have securely agreed on a key 
to use in their future communications over unsecure channels. More generally,
however, this may not be possible or practical, and Alice and Bob may desire to 
agree on a cryptographic key over an unsecure channel. In these situations, 
Alice and Bob need a technique for exchanging keys in which a potential 
eavesdropper, called Eve, is not able to also learn the key. 
[0005] Quantum cryptography is one known technique in which two users 
communicating over an unsecure communication channel can create a body of 
shared and secret information. This information may take the form of a random 
string of bits, which can then be used as a conventional secret key for secure 
communication. The advantage of quantum mechanical cryptography or 
quantum cryptography over traditional key exchange methods is that the 
exchange of information can be shown to be very secure, without making 
assumptions about the intractability of certain mathematical problems. Even 
when assuming hypothetical eavesdroppers with unlimited computing power, the 
laws of physics guarantee (probabilistically) that the secret key exchange will be 
secure. 

[0006] One well known quantum key distribution scheme involves a quantum 
channel, through which Alice and Bob send keys using polarized photons, and a 
public channel, through which Alice and Bob send ordinary messages. The 
quantum channel is a transmission medium that isolates the polarized photons 
from interaction with the environment. The public channel may comprise a 
channel on any type of communication network such as a Public Switched 
Telephone network, the Internet, or a wireless network. An eavesdropper, Eve, 
may attempt to measure the photons on the quantum channel. Such
eavesdropping, however, generally will induce a measurable disturbance in the 
photons in accordance with the Heisenberg uncertainty principle. Alice and Bob 
use the public channel to discuss and compare the photons sent through the 
quantum channel. If, through their discussion and comparison, they determine 
that there are no significant disturbances and, thus, sufficiently small evidence of 
eavesdropping, then the key material distributed via the quantum channel can be 
considered secret. 

[0007] In some quantum cryptography schemes, it is desirable to form an 
authenticated association between the quantum channel, and the conventional 
communications channel between the communicating entities. Authentication 
can be important so that, for example, Alice can be sure she is communicating 
with Bob, and not with some malicious interloper. Similarly, Bob would like to be 
able to authenticate that he is truly communicating with Alice. 
[0008] Thus, there is a need in the art for reliable authentication techniques that 
form an authenticated association between the optical channel and the 
conventional communication channel for quantum cryptographic sessions. 

SUMMARY OF THE INVENTION 
[0009] Techniques are disclosed herein for authenticating the quantum and 
public channels in a quantum cryptographic system. 
[0010] One aspect consistent with the invention is directed to a method of 
authenticating an optical channel. The method includes modulating optical 
pulses corresponding to a first bit sequence based on a second bit sequence and
transmitting the optical pulses over the optical channel. The method further 
includes receiving the modulated optical pulses, demodulating the received 
optical pulses using the second bit sequence, and authenticating the optical 
channel based on a number of bits from the first bit sequence that are correctly 
received and demodulated. 

[0011] A second aspect of the invention is directed to a method that includes 
receiving optical pulses corresponding to a first bit sequence that were 
modulated based on a second bit sequence, the optical pulses being received 
over an optical channel. The method further includes demodulating the received 
optical pulses using the second bit sequence and authenticating the optical 
channel based on a number of bits from the first bit sequence that are correctly 
received and demodulated. 

[0012] Another aspect of the invention is directed to a cryptographic device that 
includes a polarized pulse generator and a polarizing rotator. The polarized 
pulse generator emits optical pulses polarized in one of a first state and a second 
state based on values stored in a first bit sequence. The polarizing rotator 
rotates the optical pulses received from the polarized pulse generator by an 
angle specified by one or more bits from a second bit sequence to obtain a series 
of modulated optical pulses. The optical pulses are transmitted over an optical 
channel and used to authenticate the optical channel. 

[0013] Another aspect of the invention is directed to a cryptographic device that 
includes a polarization rotator that rotates optical pulses received over an optical 
channel by an angle specified by one or more bits from a second bit sequence.
The device further includes a polarizing beam splitter that receives the optical 
pulses rotated by the polarization rotator and a detector that generates 
indications of the polarizations of the received optical pulses. A counter 
tabulates a number of times the detector indicates that the received optical 
pulses are polarized in a state that matches a state of a corresponding bit in a 
first bit sequence. The optical channel is authenticated based on at least one 
count value of the counter. 

[0014] Still further, another aspect of the invention is directed to a cryptographic 
device that includes phase setting logic configured to determine an initial phase 
based on values stored in a first bit sequence and summing logic configured to 
add the initial phase to a second phase determined based on one or more bits
from a second bit sequence and to output a summed phase angle. A phase 
modulator modulates optical pulses by the summed phase angle to obtain a 
series of modulated optical pulses. The modulated optical pulses are transmitted 
over an optical channel and used to authenticate the optical channel. 



BRIEF DESCRIPTION OF THE DRAWINGS 
[0015] The accompanying drawings, which are incorporated in and constitute a 
part of this specification, illustrate the invention and, together with the description, 
explain the invention. In the drawings, 

[0016] Fig. 1 is a diagram illustrating an optics-based cryptography system; 
[0017] Fig. 2 is a diagram that conceptually illustrates an exemplary system for
implementing authentication in a dual-channel quantum cryptographic system;

[0018] Fig. 3 is a flow chart illustrating operations consistent with the invention as
performed at the transmitting side in the system shown in Fig. 2;

[0019] Fig. 4 is a flow chart illustrating operations consistent with the invention as
performed at the receiving side in the system shown in Fig. 2;

[0020] Fig. 5 is a diagram that conceptually illustrates an alternate exemplary
system for implementing authentication in a dual-channel quantum cryptographic
system;

[0021] Fig. 6 is a diagram illustrating an exemplary implementation in which 
authentication text information and authentication angles are combined into a 
single bit sequence; 

[0022] Fig. 7 is a flow chart illustrating operations performed consistent with the 
invention for implementing an authentication protocol that generates the 
authentication text and authentication angles post-facto; 
[0023] Fig. 8 is a flow chart illustrating operations performed consistent with the 
invention for implementing an authentication protocol that generates the 
authentication text and authentication angles pre-facto; 
[0024] Fig. 9 is a flow chart illustrating operations performed consistent with the 
invention for implementing an authentication protocol based on a challenge- 
response initiated by Alice; and 
[0025] Fig. 10 is a flow chart illustrating operations performed consistent with the
invention for implementing an authentication protocol based on a challenge- 
response initiated by Bob. 

DETAILED DESCRIPTION 
[0026] The following detailed description of the invention refers to the 
accompanying drawings. The same reference numbers in different drawings 
may identify the same or similar elements. Also, the following detailed 
description does not limit the invention. Instead, the scope of the invention is 
defined by the appended claims and equivalents. 
[0027] A quantum cryptographic system is described below that enables 
authentication on both a public and an optical channel. The authentication can 
be tied to both channels so that both parties can be assured that a single 
authenticated entity is at the other end of both channels. 

SYSTEM OVERVIEW 
[0028] Fig. 1 is a high-level diagram illustrating an optics-based cryptography 
system 100. A sender 101 ("Alice") would like to send an encrypted message to 
a receiver 102 ("Bob"). Two channels may be used to send the message: a 
public channel 110 and an optical (quantum) channel 120. Public channel 110 
may be any available communication medium between Alice and Bob, such as, 
for example, the Internet, a freespace optical or radio link, a public-switched 
telephone network, or a cellular or radio network. Quantum channel 120 may be 
a purely quantum channel that is used for dissemination of, and agreement upon,
cryptographic key material. Quantum channel 120 may be implemented through, 
for example, lasers transmitting via either free space quantum links or through 
fiber optic cables. 

[0029] In general, public channel 110 is a two-way channel in which messages, 
such as bit-streams in the form of packets, may be exchanged. Quantum 
channel 120 may be a one-way channel (not shown) or a two-way channel. As a 
one-way channel in either direction, Alice (or Bob) may prepare and modulate 
optical pulses, such as single photons, or a small number of photons, and 
transmit them to Bob (or Alice), who in turn detects the photons. As a two-way 
channel, one party may prepare a number of photons and the other party 
modulates, attenuates, and reflects the photons. The first party may then receive 
the reflected and attenuated result. In either situation, however, quantum 
channel 120 is distinct from public channel 110. Both the quantum and public 
channel may be susceptible to monitoring from a malicious third party, Eve. 
[0030] In operation, sender (Alice) 101 may use a quantum state generator 105 
to transmit a secret key to a quantum state detector 107 at receiver (Bob) 102. 
The key is transmitted over quantum channel 120 as a series of photons. The 
key may be negotiated between Alice and Bob using a standard quantum 
cryptography protocol such as the well-known BB84 protocol. 
[0031] Quantum state generator 105 may be, for example, a faint laser source 
that emits photons. Alternatively it may be a true source of single photons. 
Quantum state detector 107 may be a detector designed to detect the emitted 
photons. Suitable quantum state generators 105 and quantum state detectors
107 are known in the art.

[0032] Once Alice and Bob have negotiated a secret key, they may both use the 
key to encrypt and decrypt messages sent over public channel 110. More 
specifically, Alice may encrypt/decrypt messages using encryption component 
106. Bob may encrypt/decrypt messages using a corresponding encryption 
component 108. 

AUTHENTICATION 
[0033] When communicating with cryptographic system 100, it is desirable that 
Alice and Bob are able to authenticate themselves with one another. In other 
words, Alice would like to be sure she is communicating with Bob and not a 
malicious interloper holding himself out as Bob. Similarly, Bob would like to be 
sure he is communicating with Alice. This authentication problem is further 
complicated because of the two distinct channels, public channel 110 and 
quantum channel 120, present in system 100. Thus, to obtain complete 
authentication, Alice would like to authenticate Bob on both quantum channel 
120 and public channel 110. It may be the case, for instance, that Alice and Bob 
are talking to each other on public channel 110, but that an interloper has 
hijacked quantum channel 120 so that Alice's quantum pulses are in fact going to 
that interloper rather than Bob. The interloper may in turn send its own pulses on 
to Bob in place of Alice's original pulses. 
[0034] Consistent with aspects of the invention, systems and methods are
described that allow Alice and Bob to authenticate each other on multiple 
channels — both the public channel 110 and quantum channel 120. Each party 
may thus be assured that a single (authenticated) entity is at the other end of the 
channels. 

[0035] Fig. 2 is a diagram that conceptually illustrates an exemplary system 200 
for implementing authentication in a dual-channel quantum cryptographic system. 
The quantum channel 120 in Fig. 2 is illustrated as being implemented using a 
polarization-based modulation scheme. The public channel is not explicitly shown 
in Fig. 2. 

[0036] In system 200, Alice and Bob may each store authentication text 201 and 
authentication angles 205. Both Alice and Bob store the same authentication 
text 201 and authentication angles 205. Authentication text 201 may be a 
relatively lengthy sequence, such as a sequence of binary digits (i.e., ones or 
zeroes). Authentication angles 205 represent a sequence of angles that will be
used to modulate each bit in authentication text 201. If K bits from authentication
angles 205 are used to modulate each bit of authentication text 201, then the
total length of the authentication angles 205 will be K times the length of 
authentication text 201. In one implementation, authentication text 201 and 
authentication angles 205 may simply be randomly generated sequences of bits 
that Alice and Bob have previously shared with one another via, for example, a 
trusted courier. 
[0037] System 200 may use a polarization-based modulation scheme. Horizontal
polarizer 210 and vertical polarizer 215 may emit horizontally and vertically 
polarized photon pulses, respectively. Horizontal polarizer 210 and vertical 
polarizer 215 may each include a laser diode designed to emit respective 
horizontally and vertically polarized pulses. Alternatively a single source may be 
polarized. Whether a horizontally polarized photon or a vertically polarized 
photon is to be emitted can be determined by the current bit in authentication text 
201 (e.g., a one bit may indicate horizontal polarization and a zero bit may 
indicate vertical polarization). 

[0038] The polarized photon may be input to polarization rotator 220, which 
rotates its input photon by an adjustable angle. In this implementation, the angle 
to rotate the photon is determined by the corresponding K bits from 
authentication angles 205. Suitable polarization rotators are known in the art and
will not be described further herein. The polarized and rotated photon is then 
transmitted from Alice to Bob. 

[0039] The receiving side of system 200 (Bob's side) complements the 
transmitting side (Alice's side) of system 200. In particular, this side may also 
include a polarization rotator 220, which rotates its received photon by the same 
adjustable angle supplied by Alice, but inverted, so as to undo the rotation 
supplied by Alice. The receiving side of system 200 may also include a
polarizing beam splitter 225 and photon counting detectors 235 and 240. 
Polarizing beam splitter 225 directs an input photon into either counting detector 
235 or counting detector 240 depending on the polarization (e.g., horizontal or 
vertical) of the photon. In this manner, counting detector 235 may receive a
photon and generate an output signal when a vertically polarized photon is 
received by polarizing beam splitter 225 and counting detector 240 may receive a 
photon and generate an output signal when a horizontally polarized photon is 
received by polarizing beam splitter 225. Counter 245 may tabulate the signals 
generated by counting detectors 235 and 240. 

[0040] Fig. 3 is a flow chart illustrating operations consistent with the invention as 
performed at the transmitting side (Alice) in system 200. Alice may begin by 
extracting the first or next K bits from authentication angles 205 (act 301). Based 
on these K bits, Alice sets a rotation angle, θ, (act 302) for polarization rotator
220. The possible rotation angles can be any set of rotation angles that Alice
and Bob have previously agreed upon and that are indexed by the K bits. For
example, if K equals two, the rotation angles may be defined as 0 degrees when
the two bits are 00, 90 degrees when the two bits are 01, 180 degrees when the
two bits are 10, and 270 degrees when the two bits are 11.
[0041] Alice may also extract the next bit of the authentication text 201 (act 303). 
This bit of authentication text 201 may be used in conjunction with the 
authentication angle bits extracted in act 301. Depending on the value of the bit,
Alice may emit either a vertically or horizontally polarized pulse (acts 304, 305, 
and 306). The polarized pulse is passed through polarization rotator 220 and 
transmitted (acts 307 and 308). Acts 301-308 may be repeated until all the 
authentication text is sent (act 309). 
[0042] Fig. 4 is a flow chart illustrating operations consistent with the invention as
performed at the receiving side (Bob) in system 200. Bob extracts the next K bits
from his copy of authentication angles 205 (act 401). Bob's K bits should be
identical to the corresponding K bits extracted by Alice in act 301. From the K
bits, Bob determines the appropriate angle θ using the same conventions used
by Alice (act 402). Bob then sets the rotation angle of Bob's polarization rotator
to negative θ (act 403), to undo the rotation performed by Alice.
[0043] Bob may then receive a photon pulse from Alice (act 404). The photon 
passes through Bob's polarization rotator 220, (act 405), which brings the pulse 
back to the normal vertical or horizontal polarization. The pulse may then pass 
through polarizing beam splitter 225 (act 406), which then activates the 
appropriate detector 235 or 240. 

[0044] Bob may extract the next bit from authentication text 201, (act 407), and 
compare the value of the bit to the value output from the activated detector (act 
408). If the values are identical, counter 245 may increment a "Correct Bits" 
counter (act 409). If the values are not identical, counter 245 may increment a 
"Bad Bits" counter (act 410). In this manner, Bob keeps track of the number of
correctly received and incorrectly received bits. 

[0045] Bob may repeat acts 401-408 until all the authentication text information 
has been processed (act 411). 

[0046] At the end of the operations shown in Figs. 3 and 4, Alice will have 
prepared and sent all (or an agreed upon subset) of her authentication text 201,
each bit of the authentication text being modulated by a rotation angle supplied 
from authentication angle information 205. Bob may detect some or all of these
bits, again demodulated by an identical authentication angle sequence. In 
general, Bob may not detect all the photon pulses that Alice sends, because, for 
example, some of the pulses may get lost due to attenuation in the quantum 
channel, inefficiencies in Bob's detectors, etc. Also, some of the photons 
received by Bob may be interpreted incorrectly due to noise in the receiving side 
of system 200. However, at the end of the process, Bob will have a count of 
Correct Bits received and Bad Bits received. 

[0047] Bob may then determine whether a sufficient number of Correct Bits have 
been received. One possible technique Bob can use is to compute the 
percentage of received bits that are correct as Correct Bits / (Correct Bits plus 
Bad Bits). If an adversary has interposed himself between Alice and Bob but 
does not know the authentication text 201 or the authentication angles 205, this 
percentage is likely to be approximately 50%. If, however, Bob is indeed 
receiving the bits directly from Alice, on a perfect channel, this percentage should 
be 100%. However, if there is noise in the system, the percentage may be less 
than 100%. In one implementation, Bob may use a predetermined threshold for
this percentage (e.g., 95%). If the percentage is greater than the threshold,
Bob determines that he is indeed communicating with Alice. Bob may then
inform Alice of his determination over public channel 110. 
[0048] One of ordinary skill in the art will appreciate that additional techniques 
may be used to determine if the count of Correct Bits and Bad Bits warrants a 
determination that Bob is communicating with Alice. For example, Bob may 
additionally require that a certain number of bits be correctly received. Assuming
that Alice sends 1000 modulated pulses in a series, Bob may require that the
percentage of correctly received bits be at least 95% and that at least 100 bits
are received.
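The transmit and receive procedures of Figs. 3 and 4 and Bob's acceptance test from [0047]-[0048] are simulated below. This is an added example, not code from the application: it models a pulse by its polarization angle in degrees, applies the K = 2 mapping (00/01/10/11 to 0/90/180/270 degrees), models the polarizing beam splitter with Malus' law (the H detector fires with probability cos² of the angle between the restored polarization and horizontal), and adds constructed `loss` and `noise` parameters for lost pulses and mis-firing detectors. The impostor is the interloper of [0033], who injects pulses without knowing authentication text 201 or authentication angles 205; the 1000-pulse, 95%, 100-bit figures are the page's own.

```python
import math
import random


def angle_from_bits(bits, k):
    """Map K angle bits to a rotation angle in degrees by dividing the full
    circle evenly among the 2**K bit patterns (the page's K = 2 example:
    00 -> 0, 01 -> 90, 10 -> 180, 11 -> 270)."""
    index = int("".join(str(b) for b in bits), 2)
    return 360.0 * index / (2 ** k)


def alice_transmit(auth_text, auth_angles, k):
    """Acts 301-308: for each text bit emit a horizontal (bit 1, 0 deg) or
    vertical (bit 0, 90 deg) pulse, then rotate it by theta taken from the next
    K angle bits. Returns the polarization angle of every pulse on the channel."""
    pulses = []
    for i, bit in enumerate(auth_text):
        theta = angle_from_bits(auth_angles[i * k:(i + 1) * k], k)
        base = 0.0 if bit == 1 else 90.0
        pulses.append((base + theta) % 360.0)
    return pulses


def impostor_transmit(n_pulses, rng):
    """An interloper holding neither the authentication text nor the angles,
    injecting its own horizontally or vertically polarized pulses."""
    return [rng.choice((0.0, 90.0)) for _ in range(n_pulses)]


def bob_receive(pulses, auth_text, auth_angles, k, rng, loss=0.0, noise=0.0):
    """Acts 401-411: rotate each received pulse by -theta, pass it through the
    polarizing beam splitter and compare the detector that fired with the
    expected text bit. Returns (correct_bits, bad_bits). `loss` and `noise`
    are constructed parameters for attenuation/detector inefficiency and for a
    detector firing on the wrong output; they are not figures from the page."""
    correct = bad = 0
    for i, pol in enumerate(pulses):
        if rng.random() < loss:
            continue  # no detector fires: the bit is neither correct nor bad
        theta = angle_from_bits(auth_angles[i * k:(i + 1) * k], k)
        restored = math.radians((pol - theta) % 360.0)
        p_horizontal = math.cos(restored) ** 2  # Malus' law
        detected_bit = 1 if rng.random() < p_horizontal else 0
        if rng.random() < noise:
            detected_bit ^= 1
        if detected_bit == auth_text[i]:
            correct += 1
        else:
            bad += 1
    return correct, bad


def accept(correct, bad, min_ratio=0.95, min_received=100):
    """Bob's decision from [0047]-[0048]: enough pulses must have been
    detected, and enough of those must carry the expected bit."""
    received = correct + bad
    if received < min_received:
        return False
    return correct / received >= min_ratio


def run_demo(seed=7, n_bits=1000, k=2):
    """One round with the genuine Alice and one with an impostor; returns the
    two (correct, bad, accepted) outcomes. Text and angles are constructed
    random sequences standing in for the courier-shared secrets."""
    rng = random.Random(seed)
    auth_text = [rng.randint(0, 1) for _ in range(n_bits)]
    auth_angles = [rng.randint(0, 1) for _ in range(n_bits * k)]

    genuine = alice_transmit(auth_text, auth_angles, k)
    c, b = bob_receive(genuine, auth_text, auth_angles, k, rng, loss=0.3, noise=0.02)
    genuine_result = (c, b, accept(c, b))

    forged = impostor_transmit(n_bits, rng)
    c, b = bob_receive(forged, auth_text, auth_angles, k, rng, loss=0.3)
    impostor_result = (c, b, accept(c, b))
    return genuine_result, impostor_result


if __name__ == "__main__":
    for label, (c, b, ok) in zip(("genuine Alice", "impostor"), run_demo()):
        print(f"{label}: correct={c} bad={b} ratio={c / (c + b):.3f} accepted={ok}")
```

With 30% loss and 2% detector noise the genuine run lands near a 98% correct ratio and is accepted, while the impostor sits near 50% and is rejected even though roughly the same number of pulses were detected. Note that with the 0/90/180/270-degree mapping every pulse on the channel is still horizontally or vertically polarized, so the angle bits only permute a fixed basis; the non-orthogonal 0/45-degree choice described in [0057] is what keeps the transmitted states from being distinguishable in a single basis.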

[0049] Fig. 5 is a diagram that conceptually illustrates an alternate exemplary 
system 500 for implementing authentication in a dual-channel quantum 
cryptographic system. System 500 is similar to system 200, except that system 
500 uses phase modulation instead of polarization modulation. In general, phase 
modulation may be preferable when the optical signal is transmitted through
telecommunication fiber, which tends to scramble polarization, and polarization 
modulation may be preferable when the optical signal is transmitted through free 
space. 

[0050] In system 500, Alice and Bob may each store the same authentication 
text 201 and authentication angles 205. A phase modulator 520, such as a 
modulator that includes unbalanced Mach-Zehnder interferometers, in which the 
modulation is applied via a phase modulator in one branch of the arm, may 
perform the phase modulation. The phase modulator 520 may be, for example, a 
conventional Lithium Niobate modulator or other known modulators. 
[0051] Initial phase setting logic 510 determines an initial phase, P, to input to 
phase modulator 520. In one implementation, the initial phase may be 0 degrees 
if the bit from authentication text 201 is a one and 90 degrees if the bit from 
authentication text 201 is a zero. Summer 515 may add the angle P to an angle
derived from the corresponding K bits from authentication angles 205 to obtain
P + θ, a final phase modulation value for phase modulator 520. K may be, for
example, 10 bits long, allowing for 1,024 distinct values for θ.
[0052] Laser source 507 may be a conventional laser source for use in quantum 
cryptography. Pulses from laser source 507 are input to phase modulator 520, 
which modulates the phase by P + θ degrees.

[0053] On the receiving side, a corresponding phase modulator 520 modulates 
the received pulses by negative θ degrees. A 50/50 (non-polarizing) beam
splitter 525 may receive the output of phase modulator 520. Phase modulator 
520 directs an input pulse into either counting detector 535 or counting detector 
540 depending on the phase (i.e., 90 degrees or 0 degrees) of the pulse. 
Counter 545 operates similarly to counter 245. That is, counter 545 increments a 
Correct Bits count or a Bad Bits count, depending on which counting detector is 
activated. 

[0054] For clarity, authentication text 201 and authentication angles 205 have 
been described as distinct pieces of information. In some implementations, 
however, it may be useful to use a single bit sequence as source of both 
authentication text 201 and authentication angles 205. 
[0055] Fig. 6 is a diagram illustrating an exemplary implementation in which 
authentication text 201 and authentication angles 205 are combined into a single 
bit sequence. In this implementation, the authentication text 201 and the 
authentication angle 205 are interleaved in a single bit sequence 600. Single bit 
sequence 600 may include a number of repeated authentication 
text/authentication angle pairs in which each pair includes a bit of the 
authentication text 201 followed by the corresponding K bits of the authentication
angles 205. In Fig. 6, a single pair 605 is illustrated. 

[0056] One of ordinary skill in the art will recognize that other arrangements for 
combining the authentication text 201 and the authentication angles 205 are 
possible and may be used. For example, the authentication text may be the 
"leftmost" bits in the combined sequence, followed by a series of authentication 
angles that form the "rightmost" bits. 

[0057] Other techniques than the one discussed above for mapping the K bits to 
the angle θ are also possible. In the technique given above, the entire range of
angles may be evenly divided among the number of possible states that the K 
bits represent. In an alternate possible technique, K may be equal to one and 
the angle values may be assigned as zero degrees (bit value of zero) and 45 
degrees (bit value of one). This is essentially a choice of one of two non- 
orthogonal bases for the authentication text bit to be transmitted. This technique 
may be advantageous because it makes it difficult for an eavesdropper to 
determine which basis was being used, and which value is being transmitted, 
with only a minimal number of bits for the authentication angles. 
[0058] One of ordinary skill will also recognize that a single source may be 
employed for systems and devices based on polarization as well as those based 
on phase modulation as depicted in Figure 5. 
AUTHENTICATION PROTOCOLS
[0059] Systems 200 and 500 (Figs. 2 and 5) illustrate systems that modulate 
optical pulses that may be used to implement authentication schemes. A number 
of authentication protocols may be layered on top of systems 200 and 500, some 
of which will now be described. 

[0060] One protocol for implementing authentication using systems 200 and 500 
includes distributing the authentication text and authentication angles as shared 
secret keys. In this protocol, Alice and Bob agree, in a secure manner, on the 
authentication text and the authentication angles. They may agree, for example, 
by sharing the secret keys via a courier or by constructing the secret keys from 
an ongoing cryptographic process (e.g., by a quantum cryptographic process), or 
by a classical process such as the Diffie-Hellman algorithm.
[0061] A second protocol for implementing authentication using systems 200 and 
500 may be based on secret authentication angles but known authentication text. 
The authentication text may be a publicly known series of bit values, such as a 
series of ones, and the authentication angles are shared between Alice and Bob 
as secret keys. In this implementation, Bob is simply checking whether quantum 
channel 120 is conveying the proper angle modulations. 
[0062] Another possible authentication protocol using systems 200 and 500 is 
based on generating the authentication text and authentication angles post-facto, 
from data transmitted over public channel 110. Fig. 7 is a flow chart illustrating 
operations performed consistent with the invention for implementing this protocol. 
[0063] Alice and Bob may begin by communicating over public channel 110 (act
701). The communication over public channel 110 may be encrypted using a 
symmetric key exchanged via quantum channel 120, as would be performed in a 
conventional quantum cryptographic system. A pre-designated block of the 
information communicated over the public channel, such as, for example, the first 
1000 bytes of the communication, may then be used by both Alice and Bob to 
create a message authentication code (MAC) (act 702). The MAC may be 
generated by performing a cryptographic hash, such as the well known HMAC, 
SHA-1, or MD5 hash functions, on the block of information. Alternatively, a
universal hash function, or other information-theoretic hash, may be employed. 
Alice and Bob may then designate a portion of the MAC to form the 
authentication text and/or authentication angles (act 703). At this point, the 
derived authentication text and/or authentication angles may be used to 
authenticate quantum channel 120 using the techniques discussed above with 
reference to Figs. 3 and 4 (act 704). In this manner, Alice and Bob can verify 
that the optical channel is indeed properly linked to the public message 
communication channel. 

[0064] Another possible authentication protocol using systems 200 and 500 is 
based on generating authentication text and authentication angles pre-facto, from 
data transmitted over public channel 110. Fig. 8 is a flow chart illustrating 
operations performed consistent with the invention for implementing this protocol. 
[0065] Alice may begin by creating a MAC for a block of information that she
would like to communicate to Bob (act 801). Alice may then transmit the MAC
to Bob via the public channel (act 802). Alice and Bob may use a portion of the
MAC to form the authentication text and/or authentication angles (act 803). At
this point, the derived authentication text and/or authentication angles may be
used to authenticate quantum channel 120 using the techniques discussed
above with reference to Figs. 3 and 4 (act 804). Alice may then communicate the
block of information to Bob via the public channel (act 805). Bob may then
compute a MAC over the block of information, using the same technique that Alice
used to initially generate the MAC, and verify that the newly computed MAC
matches the MAC originally sent by Alice (act 806). In this manner, Alice and
Bob can verify that the optical channel is properly linked to the public message
communication channel.

[0066] Another possible authentication protocol using systems 200 and 500 can 
be based on Alice initiating a challenge and response. Fig. 9 is a flow chart 
illustrating operations performed consistent with the invention for implementing 
this protocol. 

[0067] Alice may begin by generating a random nonce (a random sequence of 0 
and 1 bits), which she will use to represent the authentication angles (act 901). 
Alice may then transmit the nonce to Bob over public channel 110 (act 902). 
Alice may also form a second random nonce, which she uses to represent the 
authentication text (act 903). Alice may then transmit the authentication text to 
Bob over quantum channel 120 using the authentication angles defined by the 
first nonce (act 904). Bob accumulates the received authentication text (act 
905) and then transmits the received authentication text back to Alice over public 
channel 110 (act 906). Alice may compare the version of the authentication text 
she received from Bob to the original version of the authentication text that she 
generated (act 907). If the two versions agree, allowing for the error rate 
expected on the quantum channel, Alice may accept that Bob controls both the 
public and the quantum channel. 
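The following is an added simulation, not code from this application, of the 
protocols of Figs. 7 and 8 (authentication text and angles derived from a MAC) 
and of Fig. 9 (Alice's challenge and response). It assumes HMAC-SHA256 with a 
pre-shared key as the MAC, a 128-bit authentication text, an 11% mismatch 
threshold, and a simplified model of the quantum channel in which each text bit 
is sent as one photon in the basis selected by the matching angle bit; the 
names, parameters and the text/angle split are all assumptions. An intercept-
resend attacker who does not know the angles is modelled as well, to show the 
error rate that such an attacker leaves behind.

```python
import hashlib
import hmac
import random

# Constructed parameters (assumptions for this example, not values from the page).
AUTH_LEN = 128          # bits of authentication text sent over the quantum channel
ERROR_THRESHOLD = 0.11  # mismatch fraction above which the channel is rejected


def make_rng(seed=None):
    """Seeded generator for reproducible runs; SystemRandom otherwise."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def bits_from_bytes(data: bytes, n: int) -> list[int]:
    """First n bits of data, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)][:n]


def derive_text_and_angles(mac: bytes, n: int) -> tuple[list[int], list[int]]:
    """Acts 703 / 803: designate portions of the MAC as authentication text and
    authentication angles. Here the first n bits are the text and the next n bits
    the angles (angle bit 0 = rectilinear basis, 1 = diagonal basis); this split
    and basis encoding are assumptions."""
    bits = bits_from_bytes(mac, 2 * n)
    if len(bits) < 2 * n:
        raise ValueError("MAC too short for the requested authentication length")
    return bits[:n], bits[n:]


def quantum_send(text, angles, error_rate=0.0, eve=False, rng=None):
    """Simulated quantum channel. Alice polarizes one photon per text bit in the
    basis chosen by the matching angle bit; Bob, who knows the angles, measures in
    that basis and recovers the bit apart from channel noise (a flip with
    probability error_rate). With eve=True an intercept-resend attacker who does
    not know the angles measures each photon in a random basis and resends it;
    whenever her basis is wrong, Bob's result is uniformly random, so roughly a
    quarter of the received bits are wrong."""
    rng = rng or make_rng()
    received = []
    for bit, basis in zip(text, angles):
        value = bit
        if eve and rng.randrange(2) != basis:
            value = rng.randrange(2)
        if rng.random() < error_rate:
            value ^= 1
        received.append(value)
    return received


def mismatch_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def mac_commit_protocol(key, block, delivered_block=None,
                        error_rate=0.0, eve=False, rng=None):
    """Fig. 8 flow. Alice MACs the block (801) and publishes the MAC (802); both
    sides derive text and angles from it (803); Alice authenticates the quantum
    channel (804); she then sends the block (805) and Bob recomputes the MAC over
    what he actually received and compares it with the published MAC (806).
    delivered_block models an attacker substituting the block on the public
    channel. The HMAC-SHA256 keyed MAC is an assumed choice."""
    mac = hmac.new(key, block, hashlib.sha256).digest()                 # act 801/802
    text, angles = derive_text_and_angles(mac, AUTH_LEN)                # act 803
    received = quantum_send(text, angles, error_rate, eve, rng)        # act 804
    quantum_ok = mismatch_rate(text, received) <= ERROR_THRESHOLD
    bob_block = block if delivered_block is None else delivered_block   # act 805
    bob_mac = hmac.new(key, bob_block, hashlib.sha256).digest()         # act 806
    return quantum_ok and hmac.compare_digest(bob_mac, mac)


def alice_challenge_protocol(error_rate=0.0, eve=False, rng=None):
    """Fig. 9 flow. Alice draws a nonce for the angles (901) and publishes it
    (902), draws a second nonce as the text (903) and sends it over the quantum
    channel in those bases (904); Bob accumulates it (905) and echoes it on the
    public channel (906); Alice compares the echo with her original (907)."""
    rng = rng or make_rng()
    angles = [rng.randrange(2) for _ in range(AUTH_LEN)]
    text = [rng.randrange(2) for _ in range(AUTH_LEN)]
    echoed = quantum_send(text, angles, error_rate, eve, rng)           # acts 904-906
    return mismatch_rate(text, echoed) <= ERROR_THRESHOLD               # act 907


if __name__ == "__main__":
    rng = make_rng(2024)   # seeded so the demonstration is reproducible
    print("Fig. 8, clean channel:    ", mac_commit_protocol(b"shared-key", b"block-1", rng=rng))
    print("Fig. 8, block substituted:", mac_commit_protocol(b"shared-key", b"block-1", b"block-2", rng=rng))
    print("Fig. 8, intercept-resend: ", mac_commit_protocol(b"shared-key", b"block-1", eve=True, rng=rng))
    print("Fig. 9, 2% channel noise: ", alice_challenge_protocol(error_rate=0.02, rng=rng))
    print("Fig. 9, intercept-resend: ", alice_challenge_protocol(eve=True, rng=rng))
```

Two caveats follow from the model. The eve=True case assumes the attacker does 
not know the angles; in acts 802 and 902 the MAC or nonce that determines the 
angles is published on the public channel before the photons are sent, so an 
attacker reading that channel in real time could measure in the correct bases. 
The check therefore establishes that the two channels are linked to the same 
party, as the text states, and does not by itself rule out an attacker who 
controls both channels. Second, in Fig. 9 Bob's echo (act 906) reveals the 
authentication text on the public channel, so the second nonce must be used once 
and never reused as key material.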

[0068] Another possible authentication protocol using systems 200 and 500 can 
be based on Bob initiating a challenge and response. Fig. 10 is a flow chart 
illustrating operations performed consistent with the invention for implementing 
this protocol. 

[0069] Bob may begin by generating a random nonce that he uses to represent 
the authentication text and authentication angles (act 1001). Bob may send the 
nonce to Alice over public channel 110 (act 1002). Alice may then use the 
authentication text and the authentication angles derived from the nonce to 
authenticate quantum channel 120 using the techniques discussed above with 
reference to Figs. 3 and 4 (act 1003). 

[0070] One of ordinary skill in the art will recognize that the authentication 
protocols described above may additionally be "blended," such that several of 
these protocols, or aspects of several of them, are combined. 

CONCLUSION 

[0071] The quantum cryptographic system described above enables 
authentication between parties participating in encrypted communications. A 
number of possible authentication protocols were also described that may be 
implemented using the physical system. 

[0072] It will be apparent to one of ordinary skill in the art that aspects of the 
invention, as described above, may be implemented in many different forms of 
software, firmware, and hardware in the implementations illustrated in the figures. 
The actual software code or specialized control hardware used to implement 
aspects consistent with the present invention is not limiting of the present 
invention. Thus, the operation and behavior of the aspects were described 
without reference to the specific software code or hardware logic. It should be 
understood that a person of ordinary skill in the art would be able to design or 
obtain software and control hardware to implement the aspects of the present 
invention based on the description herein. 

[0073] The foregoing description of preferred embodiments of the present 
invention provides illustration and description, but is not intended to be 
exhaustive or to limit the invention to the precise form disclosed. Modifications 
and variations are possible in light of the above teachings or may be acquired 
from practice of the invention. For example, although the term "optical" has been 
used herein, at least with respect to quantum channel 120, this does not limit the 
frequency of electromagnetic energy used in the present invention to that of the 
human-visible spectrum. Frequencies of electromagnetic energy below infra-red 
and above ultra-violet may be used. 

[0074] No element, act, or instruction used in the description of the present 
application should be construed as critical or essential to the invention unless 
explicitly described as such. Also, as used herein, the article "a" is intended to 
include one or more items. Where only one item is intended, the term "one" or 
similar language is used. 

[0075] The scope of the invention is defined by the claims and their equivalents. 